Windows open UDP and TCP connections analysis using Elastic stack

I've been wondering how many UDP and TCP connection were active when using my PC during daily usage...

How to collect stats

In Windows, you have several ways to collect UDP and TCP connections:

• netstat -anb (and variants), available using command line
• tcpvcon -acn (and variants), free and available from Microsoft
• currports, free and available at Nirsoft website

You can do pretty the same on Linux using netstat or lsof...

I choose currports since it has a rich set of data available in output, such as process names, service name, etc...

You can just run it and perform the following steps:

• File - Advanced Options and set the pattern specified in currports-log-format
• Options - Auto Refresh - 4s
• File - Log Changes

The file should be populated with some network information as in this sample.

How to parse the CurrPorts log

Logstash to the rescue!

I'm not covering the part on how to install it, since everything will work out of the box. The official documentation is quite rich.

You have to provide 2 files:

• The logstash pipeline configuration (which will parse and enrich the data)
• The elasticsearch index template (which will tell Elasticsearch how to parse the JSON document)

I am resolving hostnames and enriching the data with GeoIP information, thanks to the Logstash filters.

You have to adjust the file path in the logstash pipeline configuration file to match the location you placed the 2 files in your system.

To see what will be sent to Elasticsearch, uncomment the line stdout { codec => rubydebug } in the output section.

Once you're done you can try to run:

logstash -f logstash-netstat.conf

You should see something like this:

...{

            "Added_On" => 2017-04-02T17:20:04.000Z,
          "Local_Port" => "55572",
    "Remote_Host_Name" => "...",
          "Event_Type" => "Removed",
       "Local_Address" => "127.0.0.1",
          "Process_ID" => "0",
                "path" => "...\\cports-x64\\cports.log",
        "Process_Name" => "Unknown",
          "@timestamp" => 2017-04-02T17:22:04.000Z,
      "Remote_Address" => "127.0.0.1",
               "State" => "Time Wait",
         "Remote_Port" => "55573",
            "@version" => "1",
                "host" => "LUCA-PC",
            "Protocol" => "TCP"
}
{
              "Added_On" => 2017-04-02T17:22:00.000Z,
               "Company" => "Oracle Corporation",
            "Local_Port" => "55757",...

How to visualize the data

You have to install Elasticsearch and Kibana, even on another machine (or use a remote instance on Elastic Cloud...).

In case you want to show a Tile Map, you'll have to tweak few lines in the Kibana configuration file (see here to use OpenStreetMaps).

Create view visualizations:

• a tag cloud on the Process_Name field
• a Tile Map on the Remote_Address_Geo.location field
• an histogram with counts

And you'll get a dashboard!

All necessary files are available on GistHub.